North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: the attack continues..
I'm hosting the company's site and we're not running any type of promotions other than the ones that we have. this is a typical scenario for sites that host these type of content to get attacked. If only i can get through one of those IP's and get the program that's running on them (bot) that will give me a clue where it goes. Attacker IP's these guys are just persistent they are trying to hit port 80 on a dns box. 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 On Sat, Oct 18, 2008 at 12:59 PM, Jay Coley <[email protected]> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Frank Bulk wrote: >> The website is "http://www.betmania.com/" and when I try to connect to it I >> get "Database Error: Unable to connect to the database:Could not connect to >> MySQL". >> >> It's not unusual for betting sites to be DDoSed for ransom. > > Also competition (rival companies) based attacks are extremely common in > the gambling/betting industry as well these days. > > Are you running any special promotions at the same time as your competition? > > - --J > > >> >> Frank >> >> -----Original Message----- >> From: Jay Hennigan [mailto:[email protected]] >> Sent: Saturday, October 18, 2008 10:24 AM >> To: NANOG list >> Subject: Re: the attack continues.. >> >> Beavis wrote: >>> Hello Lists, >>> >>> I'm still getting attacked and most of the IP's i got have been >>> reported. and just this morning it looks as if someone is testing my >>> network. and sending out short TCP_SESSION requests. now i may be >>> paranoid but this past few days have been hell.. just want to know if >>> the folks from these ip's can help me out. >>> >>> Attacker IP,Attacker Port,Victim IP,Victim Port,Attack Type,Start >>> Time,Extra Info >>> 18.104.22.168,47198,22.214.171.124,80,TCP_SESSION,2008-10-18 >>> 14:20:48,Filtered IP: Dropped packets: 3 Dropped bytes: 156 >>> 126.96.36.199,45379,188.8.131.52,80,TCP_SESSION,2008-10-18 >>> 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0 >>> 184.108.40.206,42257,220.127.116.11,80,TCP_SESSION,2008-10-18 >>> 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0 >>> 18.104.22.168,4092,22.214.171.124,80,TCP_SESSION,2008-10-18 >>> 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0 >>> >>> First 3 IP's come from AOL, I'll try to see if I can get their attention. >>> >>> Last IP is from a Wildblue Communications WBC-39. >> >> "Beavis", you're running a web server on 126.96.36.199, some sort of >> gambling site. Those who operate web servers generally expect traffic >> to TCP port 80. If you're not aware that you have a web server running, >> then it is most likely your machine that is infected with a bot. >> >> -- >> Jay Hennigan - CCIE #7880 - Network Engineering - [email protected] >> Impulse Internet Service - http://www.impulse.net/ >> Your local telephone and internet company - 805 884-6323 - WB6RDV >> >> >> >> > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.8 (Darwin) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > > iEYEARECAAYFAkj6MisACgkQETh+0NgvOtFHnwCfRYCU4VwNmQRXABtgem4wmWhX > gD8AnRSxyfM67NJKGiYVn1MNYNQ5eaSO > =J0JL > -----END PGP SIGNATURE----- > >